The present disclosure relates generally to communication networks, and, more particularly, to methods, systems, and computer program products for managing firewalls that control access to communication networks.
Communications networks are widely used for nationwide and worldwide communication of voice, multimedia and/or data. As used herein, communications networks include private networks, public communications networks, such as the Public Switched Telephone Network (PSTN), terrestrial and/or satellite cellular networks and/or the Internet.
Private networks, such as networks used by businesses and other entities, are typically connected to public networks, such as the Internet, as such private networks may include servers that provide various retail or other e-commerce services to Internet users. Such internet-connected networks are often subject to attack from unauthorized users. Such attacks may compromise confidential information or consume server resources.
A variety of techniques have been devised for protecting such devices. For example, a device protecting a network may maintain a “whitelist” of internet addresses that are allowed to access the server. However, such whitelists may need to be updated (often manually) as users move from one location to another. Other techniques for protection include “port knocking,” in which a coded sequence of TCP (transmission control protocol) SYN (synchronize) requests to specific ports to authenticate a user, and “single packet authorization” (SPA), in which a specially coded packet authenticates a user and data.
Some access control techniques involve the use of firewalls. Typical firewall devices inspect and filter traffic before making a decision on what to do with a packet. They commonly have two interfaces, an internal interface and an external interface. The external interface may communicate with a router connected to the Internet, while the internal interface may communicate with a local router or private network. Packets received at the external interface are generally passed or rejected according to criteria associated with the firewall. For authorized packets, the firewall typically performs network address translation (NAT) and routes the modified authorized packets towards their destinations. A “transparent” firewall foregoes such routing operations by filtering at the data link layer instead of the network layer, acting like a network bridge rather than a router. Transparent firewalls are also referred to as in-line, shadow, stealth or bridging firewalls. Firewalls are generally managed by a security administrator using various tools to process change requests to the configurations of the firewalls.